neo4j · fiquick · Apr 18, 2024 · Feb 28, 2024 · Feb 28, 2024 · Feb 28, 2024
diff --git a/modules/ROOT/pages/platform/security.adoc b/modules/ROOT/pages/platform/security.adoc
@@ -255,3 +255,79 @@ TLS v1.2:
 * `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5289)`
 * `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (RFC7905)`
 * `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5288)`
+
+== Customer managed keys
+
+label:AuraDB-Enterprise[]
+label:AuraDS-Enterprise[]
+label:beta[]
+
+[CAUTION]
+====
+
+This feature has been released as a public GA for AuraDB Enterprise and AuraDS Enterprise for AWS managed keys. 
+GCP's Cloud Key Management is in public beta, and support for Azure's Key Vault is coming soon.
+====
+
+For more control over key operations than the standard Neo4j encryption, use customer-managed keys. 
+These keys are created and managed using a supported Cloud Key Management Service provider. 
+When using a customer managed key, all data at rest is encrypted with the key.
+
+[WARNING]
+====
+Deleting a key makes all data encrypted under that key unrecoverable.
+Neo4j cannot administer instances when keys are disabled, deleted or permissions revoked. 
+====
+
-
-
+There is a limit of one key for AuraDB and one key for AuraDS per region.
+Depending on the Cloud Key Management Service provider, there may be a delay between disabling a key, 
+and when the key can no longer be used to encrypt and decrypt data.
+
+=== AWS key
+
+* Create a single-region key in the AWS Console ensuring the region matches your Neo4j instance. 
+* Go to security settings in the Aura Console, create a customer managed key and copy the generated JSON code.
+* Within the AWS Console, edit the key policy to include the JSON code. 
+Refer to the example key policy structure for guidance on formatting.
+
+[source,json]
+
+{
+    "Id": "key-consolepolicy-3",
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Enable IAM User Permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::000000000000:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow access for Neo4j",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "*"
+            },
+            "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey",
+                "kms:CreateGrant",
+                "kms:ListGrants",
+                "kms:RevokeGrant"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "kms:CallerAccount": "000000000000"
+                }
+            }
+        }
+    ]
+}
+